1 Executive Summary


1.1 Background 

The Information Commissioner's Office (ICO) continues to see significant 
externally driven change to its operating environment. Beyond this,
management informs us of organisational drives to improve efficiency
and effectiveness and to achieve greater levels of 'joined-up' working. Such changes will
require realignment of strategic and operational plans, with decisions to be 
made on the course of action to be taken to meet long term objectives, as 
well as having to respond to short term demands on resources. 


Our review has sought to assess the structures and processes in place to 
make key decisions within the organisation and the basis on which they 
have been made and communicated. 


1.2 Scope 
Our review has focused on the decision making structures in place at 
Management Board (MB) and Executive Team (ET) meetings, considering: 
• Approval processes;
• Supporting documentation;
• Prioritisation; and
• Follow up and communication.


1.3 Approach to delivery of scope 

We have carried out our review against the agreed scope through a series 
of meetings with members of the Executive, including the Information 
Commissioner, and with two Non-Executive Directors (NEDs), as well as 
other key stakeholders involved in the governance structures. 


Our meetings have been supported by reviews of meeting minutes, papers, 
terms of reference and other relevant documentation.

1.4 Conclusion


Overall, the ICO has established broadly fit for purpose governance 
arrangements and structures that have served its needs to date. Moreover, 
those arrangements compare more favourably than those we have seen in 
place at other Corporations Sole. We have identified areas where existing
arrangements can be improved; these are aimed at helping the ICO tackle its future
challenges rather than at addressing significant weaknesses.


As a Corporation Sole, the responsibility and accountability for decision making 
is vested within the Information Commissioner and the governance structures in 
place are utilised as forums to input into and challenge proposed courses of 
action. However, the Commissioner clearly cannot make every decision within
the organisation and many decisions are delegated; it is, however, unclear
where delegated authorities lie.


The ET comprises senior ICO staff and meets formally roughly twice every 
month and informally in between each meeting. Members responded positively 
to the format and open nature of the meetings; however we found that there was 
a focus on operational matters. There is a requirement for greater focus on the 
ICO’s strategic direction or performance. 


The MB comprises members of ET and four Non-Executive Directors. This is an 
advisory board and not a decision making body. Again, there was positive 
feedback from those we spoke to (both at Executive and NED level) on the 
meetings and the discussion and challenge that takes place before actions are 
agreed. 


For both ET and MB meetings, there was a disparity between the level of
debate, challenge and discussion which members described and what the
meeting minutes record. Further, the processes to follow up agreed actions to their
conclusion should be improved.


The NEDs also provide valued support outside of the formal meetings on 
specific projects and activities. 


More recently, a Leadership Group (LG) has been established, with intentions of 
it being a decision making body. There is no guidance as to where decisions 
will be made and what the various powers of delegation are to each 
Group/Board. 


In the rest of the report we explore these matters further.

2 Key findings and recommendations


We set out below our key findings and recommendations. 


Corporation Sole and impact on decision making 

Findings 

Our review has been carried out under the continued awareness of the role 
that the Information Commissioner has as a Corporation Sole, an 
independent official appointed by the Crown and accountable to 
Parliament. 


This provides a different governance structure to a traditional Board, with 
all decision making responsibility vested within the Information 
Commissioner. Therefore, whilst both the MB and ET’s terms of 
reference highlight their respective responsibilities, there is little in the way 
of documented formal decision making processes or delegated authorities. 
Clearly in any organisation there is a need to make some level of decisions 
at all levels. Given the responsibility and accountability for the 
Commissioner we would expect to see either formal delegations of 
authority, or matters reserved for the Commissioner. 


Overall, we have found that such arrangements have been largely fit for 
purpose to meet the ICO's needs to date. However given the external 
pressures and evolving internal and external environments, the 
Information Commissioner should keep the governance arrangements 
under continual review. 


Our discussions and review did identify a lack of clarity over what 
information is taken to MB and ET to discuss prior to a decision being
taken or actions being agreed. The terms of reference provide some level
of guidance, but this is focussed around financial thresholds. 


Recommendations 

1. It should be clarified where decisions are to be made, based on either 
clearly matters reserved for the Commissioner, or through specifically 
delegated powers. 

2. The terms of reference for ET and the MB should make clear the 
information that they receive for discussion prior to decision making. 


Executive Team 

Findings 

This small group of senior staff formally meets on a bi-monthly basis and 
has informal catch up meetings in the intervening periods. 


Our meetings with members of the ET identified a consistent view that the 
ET is seen as the "engine room" of the organisation. Particular positive
views expressed were that as a small group representing the operational
and policy aspects of the organisation there is a good level of debate 
amongst members, who are willing to challenge each other in a healthy 
way. 


Their size and frequency of meetings were also cited as positive attributes 
to enable issues to be tackled as they arise, but in a formal environment. 


All members of Executive we met with commented positively on the level 
of discussion, debate and challenge that takes place within meetings. Our 
review of the meeting minutes and supporting papers found that it was
difficult to substantiate the level of challenge, debate and discussion raised
in the meetings that had been identified to us. 


Further, we found that the focus of meetings is largely on the financial and 
operational matters of the organisation with little to no review of on-going 
performance against the Strategy or discussions on how a shifting 
landscape will impact on the current and future risks and strategy of the 
ICO. 


It is also unclear, both from the ET's terms of reference, and from the 
meeting minutes themselves, what protocols exist surrounding the 
information to be reported by ET to the MB, and how discussions or 
actions agreed at MB are reflected upon at ET. 


Recommendations 

3. ET should ensure that there is sufficient focus on the delivery of the 
strategy and how the organisation is working to address the more 
medium to long term strategic challenges. To achieve this, the ET 
should ensure that: 


• it confirms that the strategy is sufficient to meet the needs of the
ICO in defining the direction of the organisation and the key aims,
objectives and goals of the Strategy, against which progress can be
measured; and
• progress against those measures should be received and scrutinised
by the ET to enable a wider discussion and debate on longer term
themes.

4. Meeting minutes should be prepared in a manner that captures the key
challenges and discussion points with the ET that inform the agreed
course of action. This should also be considered for other meetings
(e.g. MB/LG).


Management Board 


Findings 
MB comprises four NEDs and the members of ET.

A consistent view we received from those we met with was that MB is not
a decision making body. It is seen as an advisory panel to the Information
Commissioner, where NEDs can bring to bear their skills and experience 
from outside the organisation to challenge, question and input into the 
discussions and decisions made by the Information Commissioner. 

Each meeting starts with a scene setting update from the Information 
Commissioner, which is seen as valuable by all NEDs in providing insights 
into the internal and external challenges facing the ICO. 


Recommendations 

5. Given the ICO's strategy has been published, we would expect the 
discussions and thus the agenda, at such meetings to be aligned to the 
core components of this strategy. 


Non-Executive Directors 

Findings 

NEDs are appointed based on their skills and experience outside of the 
ICO, with an aim to maintain an effective balance of Whitehall and 
corporate experiences within the group of NEDs. Currently there is a 
balanced skillset, but with changes in membership due, that balance will 
need to be maintained. 


There is an induction process for NEDs, but this is not then supported by 
formal ongoing training. There was however clarity from ET and the 
NEDs we spoke to that NEDs were expected to keep themselves up to 
date with relevant developments. The Information Commissioner's regular 
updates to MB meetings were also cited as providing valuable ongoing 
insights into developments both within and affecting the ICO.


Many we spoke with, including the NEDs themselves, highlighted that the 
real value of the NEDs is achieved from the support they provide outside 
of the meetings on projects/other matters where they are called in. 
Questions were raised by some as to whether NEDs could be used more 
often in this way, to work alongside the organisation on specific projects.

One interviewee suggested the NED role is replaced with bringing in
people with such skills as consultants to specific projects. However this 
removes the independent role of the NED, which was widely seen as a 
useful point of challenge to the ICO. It also isolates the NEDs as 
individuals, whereas a forum such as the Audit Committee or MB provides 
the collective experience and insights of the range of NEDs.


Both NEDs we spoke to valued the strategy day that they attend annually 
as an opportunity to provide independent input and challenge. However 
the timing of this review means that by this point in the cycle the strategy 
is largely agreed and the value of the NED input is therefore limited. 


Recommendations 
6. The NEDs should be formally engaged prior to the strategy away day 
to input into the ICO strategy whilst it is still being formed. 


7. Allocate NEDs to ongoing ICO projects/strategic activity to provide 
independent challenge and scrutiny to the activities. 


8. Ensure that the balance of corporate and Government skills mix of the 
NEDs is maintained as part of the next recruitment process. 


Leadership Group 

Findings 

The LG was established in November 2012 and comprises members of 
ET as well as other managers from across the organisation. There are no 
terms of reference in place for the Group. From those that we have held 
discussions with and from papers we have seen, we understand it has been 
set up as a decision making group. However without terms of reference or 
a clear understanding from those we met with as to what it will make 
decisions on there is a question as to how it fits in with the work of the 
ET. 


Further, during our meetings comments were made regarding the difficulty 
in finding agenda items for the LG to discuss.

From those we met with, there was a mixed view, both at Executive and
NED level as to whether the LG will be effective as a decision making 
group within the existing governance framework. 


We see the benefit in regular meetings of management across the 
organisation to share information and foster a culture of understanding 
what different parts are doing in pursuit of operational and strategic 
objectives. This would be different to a decision making body, but could 
still have input into strategy setting, performance monitoring and risk 
management arrangements. It could also be used as a forum to 
disseminate relevant points from the ET/MB meetings. 


Recommendations 

9. As Corporation Sole, the Commissioner utilises the Leadership Group 
to disseminate and inform a wider management group. When the 
Commissioner is present at the Leadership Group decisions can be 
made. Where decisions are made at this Group, the ICO must ensure 
they are appropriately minuted and decisions communicated, as with 
other groups. 


Effective follow up of actions 

Findings 

At both ET and MB meetings we have seen papers presented and actions 
agreed for follow up in the future which are omitted from future agendas. 


The discipline of following up agreed actions and tracking the 
implementation of decisions is critical to ensure that the governance 
process is being applied in line with agreed delegations and remits across 
the ICO. 


Recommendations 
10. Establish formal action tracking logs for MB/ET, with items retained 
on there until they are concluded upon. 


11. We recognise that it may not be practical for management to identify 
exactly what they are going to do and by when to address the
recommendations proposed in this report. We suggest that in say 18
months' time, the Information Commissioner, or other appropriate 
member of management, provide a formal update to the Audit 
Committee on the actions taken to address the recommendations and 
how they have helped improve governance across the ICO. 


This would be more pragmatic than reporting progress against them at 
each Audit Committee meeting. 


2.1 Elsewhere in the sector / Points of interest 
The establishment of Police & Crime Commissioners has seen the 
introduction of a new cohort of Corporations Sole. 


While the codes of corporate governance in place provide an overview of 
the roles and responsibilities of the PCC, and include delegated authorities 
of chief finance officers and deputy commissioners, we have yet to see a 
PCC that supports itself with a MB similar to the ICO's. Mandatory 
panels are in place to challenge the PCC on delivery of its Crime 
Prevention Plan, however these comprise elected local authority members 
rather than non-executives. 


When we have looked wider at other Corporations Sole, we have again 
seen a lack of formal, non-executive support (outside of an audit 
committee) provided to the Corporation Sole. This suggests that what the 
ICO has put in place is unique and with little direct reference for best 
practice. Our recommendations have therefore been positioned to be
pragmatic to the size and remit of the ICO, but also considering those
elements of good practice that are applicable from organisations with a 
Board structure. 


2.2 Acknowledgement 
We would like to take this opportunity to thank the staff involved in this 
audit for their co-operation during this internal audit.

3 Recommendations

Corporation Sole and decision making

Recommendation / Management response

1. It should be clarified where decisions are to be made,
based on either clearly matters reserved for the
Commissioner, or through specifically delegated powers.

Unsure.

As background the Commissioner, as Corporation
Sole, is ultimately responsible for all decisions made
at the ICO. However the Data Protection Act
provides him with the power to delegate decisions.
The Commissioner has appointed a Board (MB) to
advise and support him in his work and has an
Executive Team (ET) comprising senior managers
who make decisions either collectively as ET or in
their own right. Terms of reference define the roles
of MB, ET and other governance groups and where
budgets are delegated there is a record of this.

Managing Public Money clearly states that as
Accounting Officer the Commissioner must
personally sign the accounts, annual report and
governance statement.

There is therefore an articulated system of
delegation which already provides some clarity. It
could be clearer, however, given that the current
system allows short term flexibility in decision
making in the absence of the Commissioner, and
given the size and nature of the ICO, it is not
proposed to compile a fuller list of matters reserved
for the Commissioner. This does not mean however
that the current system is not capable of being
improved and the matter will be kept under review.


To be kept under review 


2. The terms of reference for the ET and the MB should make 
clear the information that they receive for discussion prior to 
decision making. 


Agreed. 


It is the case that there are standard agenda items 
for MB which effectively define what papers come to 
the Board, and standard cover sheets for ET papers 
which define what information is required for 
decisions. However the terms of reference for the 
various governance committees can be reviewed to 
see if the information requirements can be made 
more explicit. 


This is to be done by the April 2014 MB. 


ET 


3. The ET should ensure that there is sufficient focus on the
delivery of the strategy and how the organisation is working to
address the more medium to long term strategic challenges.
To achieve this, the ET should ensure that:

• The ET confirms that the strategy is sufficient to meet
the needs of the ICO in defining the direction of the
organisation and the key aims, objectives and goals of
the strategy, against which progress can be measured;
and

• Progress against those measures should be received
and scrutinised by the ET to enable a wider discussion
and debate on longer term themes.


Agreed in principle.

Strategy relates to the long term or overall aims of
the organisation and how these are to be achieved;
eg the Information Rights Strategy and the rolling
three year ICO Plan.

The Information Rights Strategy was published in
December 2011 and has not been updated since.
The ICO Plan is updated annually, and currently the
ICO is consulting on a high level statement of
direction to help inform development of its plans.


In respect of the first part of the recommendation 
therefore the ICO ought to ensure that strategies 
such as the Information Rights Strategy are at least 
reviewed annually by MB to ensure that they still 
meet the needs of the organisation. At the moment 
this is done in part. 


In respect of the second part, that progress be 
measured, MB undertakes a quarterly review of 
performance against the ICO Plan but ET does not. 
And progress against the Information Rights 
Strategy has not been measured in either forum. 
However, the ICO Plan directly references the 
strategic outcomes from the Information Rights 
Strategy and links these to the corporate objectives. 
So there is a link between performance against the 
ICO Plan and the Information Rights Strategy. 
There is therefore a mixed story to tell. And it is 
difficult to identify specific actions which will make 
ET more strategic, and indeed to measure whether 
this happens. 


To keep under review. 


4. Meeting minutes should be prepared in a manner that
captures the key challenges and discussion points with the ET
that inform the agreed course of action. This should also be 
considered for other meetings (e.g. MB/LG). 


Agreed in principle. 

Meeting minutes follow two different styles at 
present. For example MB minutes are fuller and 
contain more discussion than ET where the minutes 
now follow a format explicitly detailing “issue” and 
“decision” in quite a succinct way. This reflects the 
different nature of the meetings. 


Both styles do seek to capture the key points of the
discussion and the reasons for any decision, but
without repeating detail which is normally found in 
supporting papers. 


However supporting papers are not always published 
so it is recognised that in some cases readers of the 
minutes alone might not get the full picture. 


It is also worth noting that the fuller style of 
minutes do take longer to write and agree than 
shorter minutes. 

Having said this, there is an opportunity to consider 
how best to capture the key challenges and 
discussion points in the minutes as stand-alone 
documents and this will be done. 


To keep under review. 


Management Board 


5. Given the ICO's strategy has been published, we would 
expect the discussions and thus the agenda, at such meetings 
to be aligned to the core components of this strategy. 


Unsure. 


Whilst in theory a direct alignment of the MB agenda 
and papers with the objectives in the ICO Plan (for 
example) seems sensible, the current agenda and 
papers have evolved over time and feedback from 
MB members has not indicated any problem. This 
does not mean new approaches should not be tried 
and over the course of the next few years the 
current agenda and style of papers will evolve. 


To keep under review. 


Non-Executive Directors 


6. The NEDs should be formally engaged prior to the strategy 
away day to input into the ICO strategy whilst it is still being 
formed. 


Agreed in principle. 
We do need to recognise that the Executive has to 
have an idea of the strategy before discussion with
the NEDs. At the same time they need to be
prepared to change that strategy if the NEDs 
suggest it. 


To keep under review. 


7. Allocate NEDs to ongoing ICO projects/strategic activity to 
provide independent challenge and scrutiny to the activities. 


Agreed in principle. 

To an extent this takes place already. However there 
is a need to ensure that this happens, linked to the 
annual review of NED performance by the 
Commissioner. 


To keep under review. 


8. Ensure that the balance of corporate and Government skills 
mix of the NEDs is maintained as part of the next recruitment 
process. 


Agreed in principle. 

This also cropped up as part of the annual self-assessment
exercise for the ICO’s committees. The
Commissioner is aware of the need to ensure a 
balanced NED intake and this will be taken into 
account when the next exercise takes place in 2015. 


To keep under review. 


Leadership Group 


9. As Corporation Sole, the Commissioner utilises the 
Leadership Group to disseminate and inform a wider 
management group. When the Commissioner is present at 
the Leadership Group decisions can be made. Where 
decisions are made at this Group, the ICO must ensure they 
are appropriately minuted and decisions communicated, as 
with other groups. 


Agreed in principle. 

This happens already but as the Leadership Group 
develops the style and content of the minutes will be 
continually reviewed and revised if needed. 


To keep under review. 


Effective follow up of actions 


10. Establish formal action tracking logs for MB/ET, with items
retained on there until they are concluded upon.


Agreed. Currently logs of outstanding action points
are kept for all meetings where Corporate
Governance provides secretariat support. These logs
(or similar) can easily be extended to cover
decisions made at the meetings which would not
normally merit an action point as such.


Complete. 


11. We recognise that it may not be practical for management 
to identify exactly what they are going to do and by when to 
address the recommendations proposed in this report. We 
suggest that in say 18 months' time, the Information 
Commissioner, or other appropriate member of management, 
provide a formal update to the Audit Committee on the actions 
taken to address the recommendations and how they have 
helped improve governance across the ICO. 


This would be more pragmatic than reporting progress against 
them at each Audit Committee meeting. 


Agreed.

A Internal audit approach


Approach 

Our audit has been carried out in accordance with the guidance 
contained within the Public Sector Internal Audit Standards (2013), and 
the Auditing Practices Board’s “Guidance for Internal Auditors”.


Our internal audit approach is based upon the underlying principles of 
the UK Corporate Governance Code (2012) that requires management 
to identify, assess and manage the risks that are significant to the 
achievement of the organisation’s overall business objectives. Our role 
as internal auditor is to provide objective and independent assurance to 
the Board and management that it is doing so successfully for each of 
the areas being audited. 


We have achieved our audit objectives by: 


• meeting with key staff to gain an understanding of the decision
making and prioritisation arrangements in place, building upon the
information we have already gained through our audit planning
process;

• reviewing key documents that support the processes in place; and

• assessing how the ET prioritise, communicate, monitor and report
on key decisions and the implications that such decisions may have
on strategic objectives and day to day operations.


The findings and conclusions from this review will support our annual 
opinion to the Audit Committee on the adequacy and effectiveness of 
governance arrangements.

Responsibilities

It is the responsibility of management to ensure that there are adequate 
controls and activities in place to ensure that the organisation's business 
objectives can be met and that the risks to the organisation are 
minimised. 

Additional information 

Client staff 

The following were consulted as part of this review: 

• Neil Masom: Non-Executive Director

• Andrew Hind: Non-Executive Director

• Christopher Graham: Information Commissioner

• Graham Smith: Deputy Commissioner and Director of Freedom of
Information

• David Smith: Deputy Commissioner and Director of Data
Protection

• Daniel Benjamin: Director of Corporate Services

• Simon Entwisle: Director of Operations

• Peter Bloomfield: Senior Corporate Governance Manager

• Andrew Cryer: Head of Finance

• Mike Collins: Head of Organisation Development